Cloning Git Repo using TFS Personal Access Token

13
votes

I am trying to programmatically clone a git repository. My ASP.NET MVC application is creating and starting a process. The code to handle the processes works correctly however the authentication is failing when trying to use a TFS on premise PAT to clone a git repository. I cannot use NTLM or require the user to enter credentials. I can confirm my C# code handling creating processes to use the git bash shell programmatically works as I have no issue on my local machine but in production on IIS the issue arises. I have tried the following two methods.

Method 1: git clone http://anyusername:PAT@tfs2017:8080/tfs/DefaultCollection/_git/Git%20Repository

PAT is the token I have generated for my user. I have tried to encode it in base64 as well.

Method 2: As suggested by a person on a MS social forum.

git -c http.extraheader="AUTHORIZATION:bearer {base64encodedPAT}" clone {url}

Original MS Forum Question for Reference: https://social.msdn.microsoft.com/Forums/vstudio/en-US/0107cf1f-7fe4-4429-af74-ca7d2be7405e/using-personal-access-tokens-in-tfs-2017?forum=tfsversioncontrol

4
gittfsiis-7.5

4 Answers

15
votes

If you have a PAT, you should not need a password: the PAT would act as your username.
See if the following works:

git clone http://PAT@tfs2017:8080/tfs/DefaultCollection/_git/Git%20Repository
6
votes

I was a bit confused after reading the article from MS. After trying out some ways, I was finally able to use my PAT against TFS and VSTS GIT Repos.

The only way I was able to get a clone of my GIT repo using a PAT was setting the http.extraheader in the GIT commandline.
The authorization tag must point to basic authentication, the protocol must be HTTPS, and the token must be BASE64 encoded, including a (fictional) user name.

Example:

git -c http.extraheader="AUTHORIZATION: Basic TXlHaXRTeW5jVXNlcjo2bHFqNXJkcHEzdXBxZWVmd2o3bDduZXN5NTR3d3gxNHFobDVlanl5NTVkb2g0M3d4YzRh" clone https://tfs.address/tfs/Collection/Project/_git/RepoName

Used basic token BASE64 encoded:

TXlHaXRTeW5jVXNlcjo2bHFqNXJkcHEzdXBxZWVmd2o3bDduZXN5NTR3d3gxNHFobDVlanl5NTVkb2g0M3d4YzRh

Basic Token BASE64 decoded:

MyGitSyncUser:6lqj5rdpq3upqeefwj7l7nesy54wwx14qhl5ejyy55doh43wxc4a

Token is constructed from <fictional user name>:<PAT from a user with rights in the project>

In this example:

Fictional user name: MyGitSyncUser Used PAT: 6lqj5rdpq3upqeefwj7l7nesy54wwx14qhl5ejyy55doh43wxc4a

PAT scope: Code (Read)

The TFS/VSTS doesn't accept "AUTHORIZATION: Bearer" headers at the moment :(

Maybe this will help someone using the PATs in TFS/VSTS.

Note: HTTPS is needed for BASIC Authentication!

5
votes

Just adding my 2c since I've spent hours on this.

I generated the PAT from DevOps and copied the clone URL but I kept get "repository not found"

GIT clone https://<PAT>@dev.azure.com/Organization/My%20Project/_git/MyRepo

Note the project has a space in it and is URLEncoded

This won't work in DOS - it resolves to

My0Project

You need to double escape it like so:

GIT clone https://<PAT>@dev.azure.com/Organization/My%%20Project/_git/MyRepo
4
votes

You can use the CredentialManager by programmatically adding the token to the machine, the same way CredentialManager would do it.
On Windows I use the cmdkey tools as follow:

cmdkey /generic:"git:https://yourdomain.visualstudio.com" /user:"Personal Access Token" /pass:"yourtokenhere"

On MacOS add an entry in the keychain:

security add-generic-password -a "Personal Access Token" -D "Credential" -s "gcm4ml:git:https://yourdomain.visualstudio.com" -w "yourtokenhere" -A

Note: Avoid using -A which allows any application to access it.

As long as the CredentialManager is installed on Git, it should work.